I read about a new phishing attack http://bgr.com/2017/03/15/gmail-phishing-scam-2017-how-to-avoid/ that is spreading on Gmail.

It embeds an image that looks like an email attachment on Gmail. When clicked, it takes the user to a new sign-in page beginning with "data:text/html" that contains the normal Google URL after that and looks exactly like the Google sign-in page too, so it isn't exactly clear that the page is different from the actual one; this page is actually an iframe of the phishing page.

Since the image is embedded in the email, it doesn't matter if you have external images turned off; the fake attachment image will still load. The latest Google Chrome version now contains a "Not secure" warning in the address bar on non-"https://" pages with login functionality, so it might help some users (https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/). But a lot of users use other browsers as well, such as Firefox.

A lot of users are falling for this, even the more "technical" ones: https://twitter.com/tomscott/status/812265182646927361, http://blog.greggman.com/blog/getting-phished/

It is quite interesting how the perpetrators of these phishing attacks are trying even more sophisticated methods of exploitation to extort data from users.

Thanks for passing that along. I would have almost fallen for it if not for the bcc. That would have raised an eyebrow for me.

The emails were sent from accounts of people they knew, which were probably hacked after a successful phishing attack. This one can also be done without sending a bcc.

I definitely would've fallen for it, just look at its ingenious technique:
It came from someone I know; that amounts to me instantly opening it. Oh, an attachment, probably an image, let me open it. Then the new tab opens with the title "You've been signed out" (this is brilliant, as Google often does ask for repeat sign-ins randomly). I sign in and I am done for.

What would probably have saved me is dealing with the data:text ads (thanks EasyList forums).

Another interesting read about this attack: https://news.ycombinator.com/item?id=13373327.
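
Added example, not part of any post above: a check a mail filter or browser extension could apply to a link target or address-bar string to catch the pattern described in this thread, a `data:text/html` URI with a real-looking Google address inside it. The function name `inspectUrl`, the risk labels and the sample strings in the test are constructed for illustration.

```javascript
// Media types that a browser renders as a page when opened as a data: URI.
const PAGE_TYPES = new Set(["text/html", "application/xhtml+xml"]);

// Classify a URL string. Returns { scheme, mediaType, risk, reasons }.
function inspectUrl(raw) {
  const url = String(raw).trim();
  // Scheme per RFC 3986: a letter, then letters/digits/+/-/. up to ':'
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return { scheme: null, mediaType: null, risk: "unknown", reasons: ["no scheme"] };

  const scheme = m[1].toLowerCase();
  if (scheme !== "data") {
    // Ordinary http(s) links are out of scope for this check.
    return { scheme, mediaType: null, risk: "none", reasons: [] };
  }

  // RFC 2397 layout: data:[<mediatype>][;base64],<data>
  const rest = url.slice(m[0].length);
  const comma = rest.indexOf(",");
  const header = comma === -1 ? rest : rest.slice(0, comma);
  let payload = comma === -1 ? "" : rest.slice(comma + 1);
  try {
    payload = decodeURIComponent(payload); // undo %xx escapes so the lure is visible
  } catch (_) {
    // Malformed escapes: keep the raw payload. base64 bodies are not decoded here.
  }
  const mediaType = (header.split(";")[0] || "text/plain").trim().toLowerCase();

  const reasons = [];
  if (PAGE_TYPES.has(mediaType)) {
    reasons.push("data: URI renders as a page (" + mediaType + ")");
  }
  // An http(s) address inside a data: URI is only text in the address bar;
  // the page content does not come from that host.
  const lure = /https?:\/\/[^\s"'<>]+/i.exec(payload);
  if (lure) reasons.push("embedded look-alike address: " + lure[0]);

  const risk = reasons.length === 2 ? "high" : reasons.length === 1 ? "medium" : "low";
  return { scheme, mediaType, risk, reasons };
}
```

The scheme at the very start of the string decides where the page comes from, so anything other than `https:` in front of a sign-in form is the signal to act on.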